Expert: quick rescue to correctly identify system intrusion events

System intrusion is a very serious issue. to successfully prevent further intrusion by attackers and restore the system to normal as soon as possible, this requires us to promptly and correctly identify the occurrence of system intrusion events.

To this end, we must take necessary measures in advance to help us make correct judgments in a timely manner. These necessary measures include the use of appropriate tools and methods to detect and record system intrusion behaviors, and the use of appropriate tools or methods to promptly identify the authenticity of system intrusion events, make a correct judgment on the severity of system intrusion events.

1. Complete security settings that are conducive to detecting and recording system intrusions and accelerating System Recovery

1. Enable the audit function of the Operating System

For Windows systems, you can start the Group Policy Editor by entering the "gpedit. msc" command in the "Start"-"run" box. In the Group Policy Editor, choose computer configuration> windows Settings> Security Settings> Local Policy> Audit Policy ", then, you can enable review logon events, audit successful object access, and special use for successful review. You can also enable account logon events and successful account management events. After the system audit function is enabled, you can check the logs generated by the audit function on time to check whether unauthorized account logon events exist in the system, and what operations these accounts perform on the objects in the system, so that you can know whether the system has been intruded or has been intruded.

2. Install a firewall in the system

Currently, some mainstream Host-Based Firewalls can prevent most of the network attacks and record the attacks to the corresponding log files, some firewalls also record all daily network connection activities to corresponding log files. We can regularly view these firewall log files to understand what kind of network attacks the system has suffered in a certain period of time, and to check whether the network connection situation in a certain period of time is abnormal, to determine whether a system intrusion event has occurred.

3. Install the Intrusion Detection System (IDS) in the system)

Host-Based Intrusion Detection Systems (IDS), such as SNORT, can detect all network traffic entering the local machine and then compare them with their own attack feature libraries, when malicious network traffic or attack activity is detected, an alarm is triggered in a set manner and the content is recorded in the corresponding log file. When detecting system intrusion events through IDS alarms, we should also analyze the log file content generated by this alarm to determine whether the alarm is a real system intrusion event, and the severity of intrusion events. In order to reduce the error event response caused by false positives of IDS, correctly understand the severity of system intrusion events, and determine the correct recovery methods for subsequent system recovery, so as to timely and quickly restore the system.

In addition, by analyzing the log files of IDS, we can find the attacker's intrusion attack path and attack behavior, so that we can understand what the main cause of system intrusion is, in this way, after the system is restored, the vulnerabilities that cause system intrusion can be repaired in a timely manner to prevent such intrusion events.

4. Install system monitoring and network monitoring software in the system

Installing System Monitoring in the system allows us to know the status of services and processes running in the system in real time, so that we can detect abnormal services or system processes in the system in a timely manner, check whether the backdoor program is installed after attackers intrude into the system. Similarly, the network monitoring software is installed in the system to understand the real-time network connection with the system, so as to promptly detect abnormal network connections and open ports. For common users, xuanyuan meixiang believes that the "comprehensive system diagnosis" on the "common" page of 360 security guard can be used to understand the services, processes, and loaded modules in the current system, you can use the "Network Connection status" on the "advanced" page to monitor the current network connection status.

5. Save all log files to other storage devices.

Nowadays, most attackers use software or commands to modify the contents of log files, such as the system, firewall, and IDS, when they leave the system after they intrude into the system, some even delete all these log files to prevent users from discovering their whereabouts. Therefore, to ensure that we can obtain reliable information from these log files, we must save them to a dedicated storage device with hardware firewall protection. At the same time, the log files to be backed up can only be opened in read-only mode and cannot be copied, modified, or deleted.

In addition, if the log file size is relatively large, it can be compressed while synchronizing the backup. Similarly, because there are too many log files, it is difficult to find the necessary information through manual search. Therefore, we can use some automated log analysis software, periodically analyzes log files at a specified time to detect system intrusion events in a timely manner.

6. Back up important services and data in the system and system

Generally, it is impossible for small and medium-sized enterprises to establish a redundant system similar to the current system due to the need for cost control, system and data backup are the best and fastest way to restore the system and data to a specific period, and the best way to reduce losses. Therefore, we must back up important data in the system and the system.

You can create a full backup for data that does not change the status or data frequently in the system or system, daily Incremental backup should also be performed. If the objects backed up are changed at some time, such as installing new software, resetting system security options, and updating the system or software patch package, A full backup of the content should be performed again, and the new full backup should be stored separately from the old full backup.

As for the backup storage media, it can be a network storage device under firewall protection in the same network, or it can burn a fixed full backup to a CD and tape, by recording Incremental backup records to tapes or other reliable removable storage media, you can also back up the most important data remotely or store tapes and CDs in another place, to prevent natural disasters and man-made loss and damage of backups. No matter what media the backup is stored on and where it is stored, it should be stored separately by date and content, and the backup should also be checked regularly, to ensure that these backups are available as needed.

However, if we find that the system has been under the control of hackers for a long period of time, then the full backup of the system or data generated during this period is as follows, attackers may make modifications to the system and data, so they cannot be trusted. In this way, the system or data cannot be restored to the latest period, which will inevitably lead to corresponding losses, which is one of the main reasons for timely detection of system intrusion.

7. Prepare necessary tools.

In the process of system Intrusion Prevention and Recovery to computers, in order to improve the speed and efficiency of event processing, other third-party software, such as file integrity detection software, may also be used, weakness detection software, etc. We should prepare these software based on our actual needs and store them on mobile storage devices for safekeeping, this allows you to use it immediately after detecting system intrusion events.

2. promptly identify system intrusion events and their authenticity, and quickly determine the severity of intrusion events

To successfully prevent system intrusion, effectively restore the system to normal operation, and minimize intrusion losses, two important factors are critical: the first is to promptly identify intrusion events in the system, correctly identify the authenticity of the intrusion events, and determine the specific time of the intrusion events. The second is to quickly determine the scope of the impact of system intrusion events, the severity of the loss, and the severity of the loss.

If we do not prepare for system intrusion events and do not monitor the system operation and network connection status in real time, it is impossible to detect system intrusion events in time.

Therefore, during the normal operation of the system, we must constantly monitor and analyze the running status of the system in real time:

(1) check whether the system services and processes currently running in the system are normal;

(2) check whether the network connection established with the system is normal;

(3) Integrity check of system files and data on the premise that the file integrity file has been established;

(4) Check the status and permissions of the system account;

(5) Check the utilization of system resources and analyze the log files of security software such as the system, firewall, and IDS in real time by means of manual or real-time log monitoring software, to determine whether the current operating status of the system is normal.

All of these methods are methods for promptly discovering whether the system has been infiltrated. We should perform such a comprehensive check on the system on time, you can even use the vulnerability detection software to perform comprehensive vulnerability detection on the system to quickly understand the security status of the system.

After the system intrusion is confirmed correctly, the next step is to determine the authenticity of the intrusion event through manual analysis. This is because the system intrusion alert is obtained through the firewall installed on the system or IDS/IPS, because these software may have a false positive for intrusion events. Therefore, in order to reduce unnecessary system intrusion event processing due to false positives, it is necessary to confirm the authenticity of the system while detecting the system intrusion.

Similarly, after determining that the system has been intruded, we should analyze the specific time of the system intrusion event discovery and determine the scope and severity of the damage. Only by specifying the specific time when the system was intruded can Attackers know what vulnerabilities the system was using to intrude into the system and what aspects of the system should be detected, it is possible to know when the system should be restored before determining when the backup is effective. Only when the scope of system intrusion damage is determined can we know which data in the system is damaged and what needs to be restored before we can know what data should be immediately isolated or backed up, to determine the severity of system intrusion events. Only by classifying the severity of system intrusion events can the enterprise leaders know how to report to their superiors and make correct decisions. Only when the range and severity of system intrusion events are determined, during the subsequent system intrusion process, it is the fastest, most economical, and most effective way to deal with this intrusion event.

Generally, we should also divide system intrusion events into four major categories based on the attacker's purpose to intrude into the system. This will allow us to process the subsequent intrusion events, know what content needs to be restored for the main purpose.

1. intrusion events for the purpose of controlling the system;

2. intrusion events for the purpose of obtaining confidential data in the system;

3. intrusion events aimed at undermining confidential data in the system;

4. intrusion events aimed at damaging the system;

In any case, the above two aspects must be completed as required before system intrusion Processing